redbox-mint / redbox-portal

The core ReDBox application including the web portal and APIs.
https://www.redboxresearchdata.com.au
GNU General Public License v3.0

Permissions are lost after user saves record #797

Closed moisbo closed 2 years ago

moisbo commented 3 years ago

When a user saves a record, the permissions on mongo are scraped. Example (text edited):

Before:

    "authorization" : {
        "view" : [
            "nsIdBwb2jgAzVwEBL5guOBiObMcNI7sfJvSxlbrprzyqAnP7cOM8ppQWu4HdtaucUoMm7g6xWjqaPH4TntGHXEWbKgZTylDIFmse1WEOmzBRkQWjcQMd09U5mEqgElkxm9O=="
        ],
        "edit" : [
            "nsIdBwb2jgAzVwEBL5guOBiObMcNI7sfJvSxlbrprzyqAnP7cOM8ppQWu4HdtaucUoMm7g6xWjqaPH4TntGHXEWbKgZTylDIFmse1WEOmzBRkQWjcQMd09U5mEqgElkxm9O=="
        ],
        "viewRoles" : [
            "Admin",
            "Librarians"
        ],
        "editRoles" : [
            "Admin",
            "Librarians"
        ],
        "editPending" : [],
        "viewPending" : [
            "Moises.Sacal@xxx"
        ]
    }

After:

    "authorization" : {
        "view" : [
            "admin"
        ],
        "edit" : [
            "admin"
        ],
        "viewRoles" : [
            "Admin",
            "Librarians"
        ],
        "editRoles" : [
            "Admin",
            "Librarians"
        ],
        "editPending" : [
            "Moises.Sacal@xxx"
        ],
        "viewPending" : [
            "Moises.Sacal@xxx"
        ]
    }

shilob commented 3 years ago

Hi @moisbo, I presume this happens on a migrated record, or does it affect UI-created records as well?

moisbo commented 3 years ago

Thanks Shilo, Both.

When updating a recently migrated record and when creating a new record. The interesting thing is that when saving the record, no view/edit info is saved. The only values are admin/admin.

shilob commented 3 years ago

Hi @moisbo, I cannot replicate this on my vanilla "backend-refactor" installation. From your sample record snippet, it seems the local 'admin' user is overwriting the authorization block? I've used the local 'admin' user to overwrite both a local researcher-created DMP and an AAF researcher-created DMP, and in both instances, the records' authorization blocks weren't overwritten; the original user's username is still in the "view" and "edit" arrays.

Can you please provide more context and steps to replicate this issue? More is better, also a few questions:

Thanks!

moisbo commented 3 years ago

I think I've found the issue... The assignPermissions function used in recordtype is kaput 😄 in branch backend-refactor. This is using AAF.

RecordsService.ts#L530

recordtype using pre-save hook sails.services.rdmpservice.assignPermissions

    0|redbox-p | 2021-02-03 14:30 +11:00: debug: [
    0|redbox-p |   {
    0|redbox-p |     function: 'sails.services.rdmpservice.assignPermissions',
    0|redbox-p |     options: {
    0|redbox-p |       emailProperty: 'email',
    0|redbox-p |       editContributorProperties: [Array],
    0|redbox-p |       viewContributorProperties: [Array]
    0|redbox-p |     }
    0|redbox-p |   }
    0|redbox-p | ]
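Added example (not part of the thread and not ReDBox code): a TypeScript check that diffs a record's `authorization` block before and after a save and reports direct `view`/`edit` grants that were dropped, the symptom shown in the Before/After snippets above. The function names and the sample identities are hypothetical; only the key names come from the issue.

```typescript
// Added example, not ReDBox code. Key names follow the "authorization" block in the issue.
const AUTH_KEYS = ["view", "edit", "viewRoles", "editRoles", "viewPending", "editPending"] as const;
type AuthKey = typeof AUTH_KEYS[number];
type AuthBlock = Partial<Record<AuthKey, string[]>>;

interface AuthDiff {
  removed: AuthBlock; // principals present before the save and absent after it
  added: AuthBlock;   // principals that appear only after the save
}

// Set difference that tolerates a missing key on either side.
function minus(left: string[] | undefined, right: string[] | undefined): string[] {
  const r = right || [];
  return (left || []).filter((p) => r.indexOf(p) === -1);
}

function diffAuthorization(before: AuthBlock, after: AuthBlock): AuthDiff {
  const diff: AuthDiff = { removed: {}, added: {} };
  for (const key of AUTH_KEYS) {
    const gone = minus(before[key], after[key]);
    const fresh = minus(after[key], before[key]);
    if (gone.length > 0) diff.removed[key] = gone;
    if (fresh.length > 0) diff.added[key] = fresh;
  }
  return diff;
}

// Direct grants ("view"/"edit") that a save removed, as "key:principal" strings.
// An empty result means no user lost direct access to the record.
function lostDirectGrants(before: AuthBlock, after: AuthBlock): string[] {
  const removed = diffAuthorization(before, after).removed;
  const lost: string[] = [];
  for (const key of ["view", "edit"] as const) {
    for (const p of removed[key] || []) lost.push(key + ":" + p);
  }
  return lost;
}

// Constructed sample shaped like the issue's Before/After (placeholder identities).
const roles = ["Admin", "Librarians"];
const sampleBefore: AuthBlock = {
  view: ["USER-ID-PLACEHOLDER"], edit: ["USER-ID-PLACEHOLDER"],
  viewRoles: roles, editRoles: roles,
  editPending: [], viewPending: ["researcher@example.org"],
};
const sampleAfter: AuthBlock = {
  view: ["admin"], edit: ["admin"],
  viewRoles: roles, editRoles: roles,
  editPending: ["researcher@example.org"], viewPending: ["researcher@example.org"],
};
```

Calling `lostDirectGrants(sampleBefore, sampleAfter)` on the constructed pair reports the dropped `view` and `edit` entries, while role arrays that are unchanged produce no finding.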